Abstract



Rabi and Sherman [RS97] present a cryptographic paradigm based on associative, one-way functions that are strong (i.e., hard to invert even if one of their arguments is given) and total. Hemaspaandra and Rothe [HR99] proved that such powerful one-way functions exist exactly if (standard) one-way functions exist, thus showing that the associative one-way function approach is as plausible as previous approaches. In the present paper, we study the degree of ambiguity of one-way functions. Rabi and Sherman showed that no associative one-way function (over a universe having at least two elements) can be unambiguous (i.e., one-to-one). Nonetheless, we prove that if standard, unambiguous, one-way functions exist, then there exist strong, total, associative, one-way functions that are $O(n)$-to-one. This puts a reasonable upper bound on the ambiguity. Our other main results are:

1. $P \neq FewP$ if and only if there exists an $n^{O(1)}$-to-one, strong, total AOWF.

2. No $O(1)$-to-one total, associative functions exist in $\Sigma^* \times \Sigma^* \to \Sigma^*$.

3. For every nondecreasing, unbounded, total, recursive function $g : \mathbb{N} \to \mathbb{N}$, there is a $g(n)$-to-one, total, commutative, associative, recursive function in $\Sigma^* \times \Sigma^* \to \Sigma^*$.

Keywords: associativity, computational complexity, crypto complexity, cryptography, ambiguity, algebraic cryptography, one-way functions.



1 Introduction 

Rabi and Sherman [RS97] describe protocols for two-party secret-key agreement (due to Rivest and Sherman) and for digital signatures that use strong (i.e., 2-ary, one-way functions that are hard to invert, even if one of their arguments is given), total, associative, one-way functions as cryptographic primitives. Hemaspaandra and Rothe [HR99] prove that such powerful one-way functions exist exactly if (standard) one-way functions exist, thus showing that the associative one-way function approach is as plausible as previous approaches.

In this paper, we study the ambiguity of one-way functions. Rabi and Sherman showed that no total, associative, one-way function (over a universe having at least two elements) can be unambiguous (i.e., one-to-one). We strengthen this result in our domain of interest by proving that no total, associative function in $\Sigma^* \times \Sigma^* \to \Sigma^*$ is $O(1)$-to-one. Nonetheless, we prove that, if standard (i.e., 1-ary), unambiguous, one-way functions exist, then there exist strong, total, associative, one-way functions that are $O(n)$-to-one, thereby putting a reasonable upper bound on the ambiguity.

This paper is organized as follows: in Section 3, we prove, as mentioned above, that no total, associative function in $\Sigma^* \times \Sigma^* \to \Sigma^*$ is $O(1)$-to-one. In addition, we prove that, for every nondecreasing, unbounded, total, recursive function $g$ there exists a $g(n)$-to-one total, associative, commutative, recursive function in $\Sigma^* \times \Sigma^* \to \Sigma^*$. In Section 4, we prove that, if standard, unambiguous, one-way functions exist, then $O(n)$-to-one, strong, total, associative, one-way functions exist, and that $FewP \neq P$ exactly if $n^{O(1)}$-to-one, strong,
total, associative one-way functions exist. In Section 5, we prove a lower bound on the ambiguity of the class of total, associative functions in $\Sigma^* \times \Sigma^* \to \Sigma^*$ whose output strings are polynomially bounded with respect to their inputs (note that strong, total, associative, one-way functions are a subclass of this class). Finally, Section 6 presents the conclusion and poses open questions.



2 Preliminaries 

Fix the alphabet $\Sigma = \{0, 1\}$, and let $\Sigma^*$ denote the set of all strings over $\Sigma$. We denote the set of all real numbers by $\mathbb{R}$ and the set of all natural numbers (i.e., integers greater than or equal to zero) by $\mathbb{N}$.

For any two sets $S$ and $T$, $S \times T$ is the set $\{(s,t) \mid (s \in S) \wedge (t \in T)\}$. We use $\prod_{i=1}^{n} S_i$ as shorthand for $S_1 \times \cdots \times S_n$.

We define $\cup$ over both subsets and multisets of $\Sigma^*$ (a multiset is a set in which multiple instances of the same element may appear). If $A$ and $B$ are both sets, then $A \cup B$ is the union of $A$ and $B$. If $A_M$ and $B_M$ are multisets, then $A_M \cup B_M$ is the multiset that contains exactly all of the instances of all the elements of $A_M$ and $B_M$ and nothing else. If $A$ is a (multi)set, $\|A\|$ is the cardinality of $A$. For all sets $A$, we define $\mathcal{M}(A)$ to be the set of all multisets whose elements are members of $A$ (a.k.a. the "power multiset" of $A$). We will sometimes write a set as $\{a_1, \dots, a_n\}$ where $a_1, \dots, a_n$ are its elements, and we will write a multiset as $\{a_1, \dots, a_n\}_M$, where $a_1, \dots, a_n$ are its (possibly not distinct) elements. We may encode a set or multiset as a single string, using some recursive, recursively-invertible, one-to-one function. For example, we can order the elements of the (multi)set, double each character of each element (except for $\epsilon$, which we denote as 10), and separate each element with 01.

Throughout this paper, we will use "$\log x$" to mean "$\log_2 x$."



A language $L \subseteq \Sigma^*$ is in UP [Val76] if and only if there exists a nondeterministic Turing machine $M$ that accepts $L$, runs in polynomial time, and has for all inputs at most one accepting path. A language $L \subseteq \Sigma^*$ is in FewP [AR85] if and only if there exists a polynomial $p$ and a nondeterministic Turing machine $M$ that accepts $L$, runs in polynomial time, and on each input $s \in \Sigma^*$ has at most $p(|s|)$ accepting paths.

Let $f : A \to B$ denote the function $f$, where $A$ is the domain of $f$ and $B$ is the range of $f$. A function is total if it is defined on each element in its domain. The image of $f$, denoted $\mathrm{im}(f)$, is the set $\{b \in B \mid (\exists a \in A)[f(a) \text{ is defined and equal to } b]\}$. The preimage set of $b \in B$, denoted $f^{-1}(b)$, is $\{a \in A \mid f(a) \text{ is defined and equal to } b\}$. A function $g : B \to A$ inverts $f$ if and only if, for all $b \in \mathrm{im}(f)$, $g(b)$ is defined, $f(g(b))$ is defined, and $f(g(b)) = b$. We say that $f : A \to B$ is FP-invertible if and only if there exists a function $g : B \to A$ such that $g$ inverts $f$ and $g \in \mathrm{FP}$.

Throughout this paper, we use the phrase "2-ary function" to mean "two-argument function" and the phrase "1-ary function" to mean "one-argument function." Unless explicitly stated as being partial, all 2-ary functions are total over $\Sigma^* \times \Sigma^*$. For any 2-ary function $\sigma$, we will interchangeably use prefix and infix notation, i.e., $\sigma(x,y) = x \sigma y$.

We will sometimes encode pairs of strings as a single string, using some standard, total, bijective, polynomial-time computable pairing function $\langle \cdot, \cdot \rangle : \Sigma^* \times \Sigma^* \to \Sigma^*$ that has polynomial-time computable inverses and is nondecreasing in each argument when the other argument is fixed.

A function $f : A \to \Sigma^*$ is unbounded if, for all $n \in \mathbb{N}$, there exists an $s \in A$ such that $|f(s)| > n$.

Grollmann and Selman [GS88] (see also Ko's independent work [Ko85]) provided the first independent study of complexity-theoretic 1-ary, one-to-one one-way functions. Definition 2.1 below is the standard definition of a (complexity-theoretic) one-way function [GS88] for the case of 2-ary functions that are not one-to-one.
Definition 2.1 [RS97, HR99] Let $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ be an arbitrary 2-ary function.

1. We say $\sigma$ is honest if and only if there exists some polynomial $p$ such that for every $z \in \mathrm{im}(\sigma)$ there exists a pair $(x,y) \in \sigma^{-1}(z)$ such that $|x| + |y| \le p(|z|)$.

2. We say $\sigma$ is a one-way function if and only if $\sigma$ is honest, polynomial-time computable, and not FP-invertible.



Definition 2.2 [HR99, RS97] Let $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ be any total 2-ary function. We say $\sigma$ is associative if and only if, for all $x, y, z \in \Sigma^*$, $x \sigma (y \sigma z) = (x \sigma y) \sigma z$.



Actually, Rabi and Sherman [RS97] deal only with a notion known (in the nomenclature of Hemaspaandra and Rothe [HR99]) as weak associativity, while Hemaspaandra and Rothe deal with both weak associativity and associativity. Definition 2.2 is that of associativity, but the difference between the two notions is not relevant for us since for total functions the two notions are known to coincide [HR99].
Definition 2.3 [HR99, RS97] A total 2-ary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ is an associative one-way function (AOWF) if and only if $\sigma$ is both associative and one-way.



Definition 2.4 [HR99, RS97] A total 2-ary function $\sigma$ is said to be strong if and only if $\sigma$ is not FP-invertible, even if one of its arguments is given. More formally, a 2-ary function $\sigma$ is strong if and only if neither (a) nor (b) holds:

(a) There exists a function $g_1 \in \mathrm{FP}$ such that for every $z \in \mathrm{im}(\sigma)$ and for each $x \in \Sigma^*$, if $\sigma(x,y) = z$ for some $y \in \Sigma^*$, then $g_1(\langle x, z\rangle)$ is defined and $\sigma(x, g_1(\langle x, z\rangle)) = z$.

(b) There exists a function $g_2 \in \mathrm{FP}$ such that for every $z \in \mathrm{im}(\sigma)$ and for each $y \in \Sigma^*$, if $\sigma(x,y) = z$ for some $x \in \Sigma^*$, then $g_2(\langle y, z\rangle)$ is defined and $\sigma(g_2(\langle y, z\rangle), y) = z$.

It is known that, if $P \neq NP$, some strongly noninvertible functions are invertible [HPR00]. We now define bounded ambiguity for functions over strings.

Definition 2.5 Let $h : \mathbb{N} \to \mathbb{N}$. We say a function $\sigma : \prod_{i=1}^{k} \Sigma^* \to \Sigma^*$ is $h(n)$-to-one if and only if

$$(\forall y \in \mathrm{im}(\sigma))\Big[\big\|\{x \in \textstyle\prod_{i=1}^{k} \Sigma^* \mid \sigma(x) = y\}\big\| \le h(|y|)\Big].$$



3 Total, Associative Functions 

In this section we significantly raise the known lower bounds on the ambiguity of total, associative functions in $\Sigma^* \times \Sigma^* \to \Sigma^*$, thereby raising the same bounds for the class of total AOWFs. Our goal is to prove that no constant-to-one, total, associative functions exist. We will first prove a slightly stronger claim, from which our desired result follows immediately.

Lemma 3.1 For every total, associative function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ and every $k \in \mathbb{N}$ there exists a string $t \in \Sigma^*$ for which at least one of the following conditions is true:

(a) $\|\{x \in \Sigma^* \mid (x \neq t) \wedge (\exists y \in \Sigma^*)[(x,y) \in \sigma^{-1}(t)]\}\| \ge k$.

(b) $\|\{y \in \Sigma^* \mid (y \neq t) \wedge (\exists x \in \Sigma^*)[(x,y) \in \sigma^{-1}(t)]\}\| \ge k$.

Proof. We prove the lemma by induction on $k$. Let $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ be a total, associative function.

Basis case ($k = 0$):

For $k = 0$, both (a) and (b) above hold trivially.

Basis case ($k = 1$):

Let $x, y \in \Sigma^*$ be such that $x \neq y$. Since $\sigma$ is total, there is a $t \in \Sigma^*$ with $t = x \sigma y$. Since $x \neq y$, either $x \neq t$ or $y \neq t$ (or both). Therefore, for $k = 1$, $\sigma^{-1}(t)$ generates one of the sets that satisfies one of conditions (a) or (b) above.

Induction step:

Let $k \in \mathbb{N}$ be such that $k \ge 1$. Suppose that no set of size greater than or equal to $k+1$ exists that satisfies one of conditions (a) or (b) above for $\sigma$. By the induction hypothesis, there exists a $t \in \Sigma^*$ such that $\sigma^{-1}(t)$ generates a set of size $k$ that satisfies one of conditions (a) or (b) above. Suppose that condition (a) is satisfied (the argument when condition (b) is satisfied is analogous). By condition (a), there exist strings $x_1, \dots, x_k, y_1, \dots, y_k \in \Sigma^*$ (where $x_1, \dots, x_k$ are distinct, and distinct from $t$) such that

$$\{(x_1, y_1), \dots, (x_k, y_k)\} \subseteq \sigma^{-1}(t).$$

Choose distinct $s_1, \dots, s_{k^2+k+1} \in \Sigma^*$ satisfying

$$\{s_1, \dots, s_{k^2+k+1}\} \cap \{x_1, \dots, x_k, t\} = \emptyset.$$

Since $\sigma$ is associative, for each $i \in \{1, 2, \dots, k^2+k+1\}$,

$$(x_1 \sigma y_1) \sigma s_i = \cdots = (x_k \sigma y_k) \sigma s_i = x_1 \sigma (y_1 \sigma s_i) = \cdots = x_k \sigma (y_k \sigma s_i) \quad (1)$$

$$= t \sigma s_i \quad (2)$$

(the equation on line (2) holds because, by assumption, for all $j \in \{1, \dots, k\}$, $x_j \sigma y_j = t$). Set $u_i = t \sigma s_i$. If at least one such $u_i$ is not a member of $\{x_1, \dots, x_k, t\}$, then $\{x_1, \dots, x_k, t\}$ satisfies condition (a) for $u_i$: by (1) and (2), each of the $k+1$ distinct strings $x_1, \dots, x_k, t$ is the left argument of some pair in $\sigma^{-1}(u_i)$, and each differs from $u_i$. This contradicts our assumption that no such set of size $k+1$ exists. Otherwise, every such $u_i$ is a member of $\{x_1, \dots, x_k, t\}$. Since $k^2+k+1 = (k+1)k+1$, by the pigeonhole principle there exists some $t' \in \{x_1, \dots, x_k, t\}$ such that

$$\|\{j \in \{1, 2, \dots, k^2+k+1\} \mid u_j = t'\}\| \ge k+1.$$

Let $A = \{j \in \{1, \dots, k^2+k+1\} \mid u_j = t'\}$, and observe that $\|A\| \ge k+1$ and, for each $a \in A$,

$$s_a \in \{y \in \Sigma^* \mid (y \neq t') \wedge (\exists x \in \Sigma^*)[(x,y) \in \sigma^{-1}(t')]\},$$

because $t \sigma s_a = t'$ and $s_a \notin \{x_1, \dots, x_k, t\} \ni t'$. Since we chose distinct $s_j$, this set is large enough to contradict our assumption that no such set of size $k+1$ exists.
□

The theorem below follows immediately. 



Theorem 3.2 No total, associative, $O(1)$-to-one function $\Sigma^* \times \Sigma^* \to \Sigma^*$ exists.



An interesting side effect of the proof of Lemma 3.1 is that, in order to create an image element $s$ with preimage size greater than or equal to $k$, we need to compose the total, associative function $\sigma$ with itself no more than $k$ times, assuming that we carefully pick the domain elements; in other words, $s$ is the product of no more than $k+1$ "factors."

Side Effect 3.3 For any total, associative function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$, and for all $k \in \mathbb{N}$ such that $k > 0$, there exist $k' \le k+1$ and $s_1, \dots, s_{k'} \in \Sigma^*$ such that $\|\sigma^{-1}(s_1 \sigma \cdots \sigma s_{k'})\| \ge k$.

We will use this result in Section 5, where we provide a lower bound on the ambiguity of all total, associative functions in $\Sigma^* \times \Sigma^* \to \Sigma^*$ whose output string lengths are polynomially bounded by the length of their corresponding input strings.

We now prove that, for every nondecreasing, unbounded, total, recursive function $g : \mathbb{N} \to \mathbb{N}$, there is a $g(n)$-to-one, total, commutative, associative, recursive function in $\Sigma^* \times \Sigma^* \to \Sigma^*$.

Theorem 3.4 For every nondecreasing, unbounded, total, recursive function $g : \mathbb{N} \to \mathbb{N}$, there is a $g(n)$-to-one, total, commutative, associative, recursive function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$, thus placing an upper bound on the ambiguity of this class of functions.

Proof. Let $g : \mathbb{N} \to \mathbb{N}$ be a nondecreasing, unbounded, total, recursive function. We will construct a $g(n)$-to-one, total, commutative, associative, recursive function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$. Our construction uses a downward self-reducible trick that results in a total, single-valued, one-to-one function $\mathrm{prFact} : \Sigma^* \to \mathcal{M}(\Sigma^* \setminus \mathrm{im}(\sigma))$ (recall that $\mathcal{M}(\cdot)$ is the "power multiset" of $\cdot$) with the following property:

$s \in \mathrm{im}(\sigma)$ if and only if $s_1 \sigma \cdots \sigma s_k = s$, where $\{s_1, \dots, s_k\}_M = \mathrm{prFact}(s)$.

Since $\sigma$ is associative and commutative, all elements in $\sigma^{-1}(s)$ are of the form $(s_{\pi(1)} \sigma \cdots \sigma s_{\pi(i)}) \sigma (s_{\pi(i+1)} \sigma \cdots \sigma s_{\pi(k)})$, where $\pi$ is a permutation of $\{1, \dots, k\}$. It follows from simple combinatorics that $\|\sigma^{-1}(s)\| \le \sum_{i=1}^{k-1} \binom{k}{i} = 2^k - 2$. Conversely, $x \sigma y = s$ if and only if $\mathrm{prFact}(x) \cup \mathrm{prFact}(y) = \{s_1, \dots, s_k\}_M$ (prFact is so named because the properties mentioned above are very similar to certain properties that prime factorizations have over the natural numbers). Thus, if $\sigma$ can first compute $\mathrm{prFact}(x)$ and $\mathrm{prFact}(y)$ before it computes $s$, it can choose a value for $s$ so that $s$ satisfies the ambiguity bound $g$.
This can be done as follows: on input $(a,b)$, $\sigma$ performs the following two-phase process. The first phase starts with an empty set $K$ (so named because it contains the portion of prFact that is currently "known"), to which $\sigma$ will add as elements ordered pairs in a well-defined order that is independent of the values $(a,b)$. In effect, $K$ at any time $t$ constitutes a partial definition of prFact. We will denote the partial function defined by $K$ at time $t$ of $\sigma$ running on input $(a,b)$ as $\mathrm{prFact}_{t,a,b}$, i.e.,

$$\mathrm{prFact}_{t,a,b}(x) = \begin{cases} X_M & \text{if } (x, X_M) \in K \text{ at time step } t \text{ of } \sigma \text{ running on input } (a,b), \\ \text{undefined} & \text{otherwise.} \end{cases} \quad (3)$$

Phase one concludes at some time $t$ such that both $\mathrm{prFact}_{t,a,b}(a)$ and $\mathrm{prFact}_{t,a,b}(b)$ are defined. If, at time step $t$, there exists a $z \in \Sigma^*$ such that $\mathrm{prFact}_{t,a,b}(z)$ is defined and equal to $\mathrm{prFact}(a) \cup \mathrm{prFact}(b)$, then $\sigma$ outputs $z$. Otherwise, $\sigma$ chooses $x \in \Sigma^*$ so that

1. $\mathrm{prFact}_{t,a,b}(x)$ is not defined, and

2. $g(|x|) \ge 2^{\|\mathrm{prFact}_{t,a,b}(a) \cup \mathrm{prFact}_{t,a,b}(b)\|} - 2$.

$\sigma$ then adds $(x, \mathrm{prFact}_{t,a,b}(a) \cup \mathrm{prFact}_{t,a,b}(b))$ to $K$, outputs $x$, and halts.

The partial functions $\mathrm{prFact}_{t,a,b}$ are, in a sense, analogous to the stages of a finite extension construction used in relativization proofs (in fact our construction is in some sense a diagonalization of the ambiguity bound $g$, one that is computable, of course). In order for these partial functions to "add up" to a single function (i.e., prFact) that has all the properties we desire, it is crucial that for each pair of input strings $(a,b)$ and time step $t$, the definition of $\mathrm{prFact}_{t,a,b}$ is consistent with all other $\mathrm{prFact}_{t',a',b'}$ in a significant way. By this we mean that

$$(\forall x \in \Sigma^*)(\exists Y \in \mathcal{M}(\Sigma^*))(\forall\, \mathrm{prFact}_{t,a,b})\big[(\mathrm{prFact}_{t,a,b}(x) \text{ is undefined}) \vee (\mathrm{prFact}_{t,a,b}(x) = Y)\big]. \quad (4)$$

It is also necessary that every $\mathrm{prFact}_{t,a,b}$ be one-to-one. We claim that $\sigma$, defined on input $(a,b)$ by the following procedure, gives rise to such a family of functions.



1. (Phase one) IF $(a,b) \neq (\epsilon,\epsilon)$, LET $c = \sigma(a',b')$ (where $(a',b')$ is the pair that immediately precedes $(a,b)$ in the lexicographical order), and discard $c$.

2. LET $A_M = \mathrm{getFactors}(a)$,

3. LET $B_M = \mathrm{getFactors}(b)$,

4. (Phase two) OUTPUT $\mathrm{getProduct}(A_M \cup B_M)$,



where $\mathrm{getFactors} : \Sigma^* \to \mathcal{M}(\Sigma^*)$, on input $s$, is defined by the following procedure:

1. IF, for some $S_M \in \mathcal{M}(\Sigma^*)$, $(s, S_M) \in K$, OUTPUT $S_M$,

2. ELSE LET $K = K \cup \{(s, \{s\}_M)\}$, and OUTPUT $\{s\}_M$,



and on input $A_M \in \mathcal{M}(\Sigma^*)$, $\mathrm{getProduct} : \mathcal{M}(\Sigma^*) \to \Sigma^*$ is defined by the following procedure:

1. IF, for some $z \in \Sigma^*$, $(z, A_M) \in K$, OUTPUT $z$,

2. ELSE

(a) LET $x = \min\{y \mid (g(|y|) \ge 2^{\|A_M\|} - 2) \wedge (\forall (s, S_M) \in K)[s \neq y]\}$ (where min is defined relative to the lexicographic ordering),

(b) LET $K = K \cup \{(x, A_M)\}$,

(c) OUTPUT $x$.



Note that getFactors and getProduct are the only places where elements are added to $K$. Before we prove our claims, we need the following definition: for all (possibly partial) functions $\alpha$ and $\beta$ defined over the same domain and range, we say that $\alpha$ extends $\beta$ if, wherever $\beta$ is defined, $\alpha$ is also defined, and for all $x \in \Sigma^*$ where $\beta(x)$ and $\alpha(x)$ are both defined, $\beta(x) = \alpha(x)$. Now, from the definition of $\sigma$, the following claims follow easily:

1. For all inputs $a, b \in \Sigma^*$ and at every time step $t$ during the execution of $\sigma$, $\mathrm{prFact}_{t,a,b}$ is one-to-one and single-valued. This can easily be proved by induction over the lexicographic order of all paired input strings $(a,b)$.

2. For every two pairs of input strings $(a,b)$, $(a',b')$, and corresponding time steps $t$ and $t'$, either $\mathrm{prFact}_{t,a,b}$ extends $\mathrm{prFact}_{t',a',b'}$ or $\mathrm{prFact}_{t',a',b'}$ extends $\mathrm{prFact}_{t,a,b}$ (this captures our intuition that the partial functions must be significantly consistent). This is because the order in which the functions getFactors and getProduct are called on particular input values is independent of the input values to $\sigma$ (although, of course, the number of calls in this sequence that are made is not), because $\sigma$ never removes elements from $K$, and because the actions that getFactors and getProduct take depend only on their respective inputs and on the current value of $K$.

Clearly, for every $x \in \Sigma^*$, there are infinitely many partial functions $\mathrm{prFact}_{t,a,b}$ such that $\mathrm{prFact}_{t,a,b}(x)$ is defined, thus any function extending all such $\mathrm{prFact}_{t,a,b}$ must be total. It follows from item two that there is a unique, single-valued function that extends all partial functions $\mathrm{prFact}_{t,a,b}$. We will define prFact to be this unique, total, single-valued function. We make the following claims:

Claim 1: $(\forall a, b \in \Sigma^*)[(\mathrm{prFact}(a) = \mathrm{prFact}(b)) \Leftrightarrow (a = b)]$.

Otherwise, since each $\mathrm{prFact}_{t,a,b}$ is one-to-one and single-valued, prFact would not extend any $\mathrm{prFact}_{t,a,b}$ on which both $a$ and $b$ are defined.

Claim 2: $(\forall a, b \in \Sigma^*)[\mathrm{prFact}(a \sigma b) = \mathrm{prFact}(a) \cup \mathrm{prFact}(b)]$.

This follows immediately from the definitions of $\sigma$ and prFact.

We are now ready to prove our main claims.

$\sigma$ is total:

Clearly, $\sigma$ halts and outputs on every input, therefore it must be total.

$\sigma$ is associative:

For all $a, b, c \in \Sigma^*$, by Claim 2,

$$\begin{aligned}\mathrm{prFact}((a \sigma b) \sigma c) &= \mathrm{prFact}(a \sigma b) \cup \mathrm{prFact}(c) \\ &= \mathrm{prFact}(a) \cup \mathrm{prFact}(b) \cup \mathrm{prFact}(c) \\ &= \mathrm{prFact}(a) \cup \mathrm{prFact}(b \sigma c) \\ &= \mathrm{prFact}(a \sigma (b \sigma c)).\end{aligned}$$

By Claim 1, $(a \sigma b) \sigma c = a \sigma (b \sigma c)$.

$\sigma$ is commutative:

For all $a, b \in \Sigma^*$, by Claim 2, $\mathrm{prFact}(a \sigma b) = \mathrm{prFact}(a) \cup \mathrm{prFact}(b) = \mathrm{prFact}(b) \cup \mathrm{prFact}(a) = \mathrm{prFact}(b \sigma a)$. By Claim 1, $a \sigma b = b \sigma a$.

$\sigma$ is $g(n)$-to-one:

By Claims 1 and 2 above, for all $x \in \mathrm{im}(\sigma)$ and all $a, b \in \Sigma^*$, $(a \sigma b = x) \Leftrightarrow (\mathrm{prFact}(a) \cup \mathrm{prFact}(b) = \mathrm{prFact}(x))$. There are no more than $2^{\|\mathrm{prFact}(x)\|} - 2$ such pairs $(a,b)$. For every $\mathrm{prFact}_{t,a,b}$ on which $x$ is defined, we have $(x, \mathrm{prFact}(a) \cup \mathrm{prFact}(b)) \in K$, and $(x, \mathrm{prFact}(a) \cup \mathrm{prFact}(b))$ was added to $K$ during a call to getProduct. Since, by the construction of getProduct, $g(|x|) \ge 2^{\|\mathrm{prFact}(x)\|} - 2$, we conclude that $\sigma$ must be $g(n)$-to-one.

We conclude that $\sigma$ is a $g(n)$-to-one, total, commutative, associative, recursive function. □
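The procedure above, as an added example that is not part of the paper: a small Python implementation of $\sigma$ through getFactors and getProduct over a shared table $K$, with phase one (evaluating all earlier pairs) done lazily and memoised. Three choices are mine and not fixed by the paper's text: the ambiguity bound is $g(n) = 2^n$; "lexicographic order" is read as length-then-lexicographic (shortlex) order, which, unlike pure lexicographic order on $\{0,1\}^*$, guarantees that the minimum taken in getProduct exists; and pairs are ordered by $|a|+|b|$, then $a$, then $b$. The helper functions at the end check Claims 1 and 2, commutativity, associativity and the bound $\|\sigma^{-1}(y)\| \le g(|y|)$ by brute force on short strings.

```python
"""Added example, not from the paper: the g(n)-to-one, total, commutative,
associative function of Theorem 3.4, built with getFactors/getProduct over
a shared table K.  Assumptions of this example: g(n) = 2**n, shortlex order
for "min", and pairs processed in order of |a|+|b|, then a, then b."""
from itertools import count, product


def g(n):
    """Assumed ambiguity bound: nondecreasing, unbounded, total, recursive."""
    return 2 ** n


def strings_from(n0):
    """All binary strings of length >= n0 in shortlex order (infinite)."""
    for n in count(n0):
        for bits in product("01", repeat=n):
            yield "".join(bits)


def pairs_in_order():
    """A well-order on Sigma* x Sigma*: by |a|+|b|, then a, then b (infinite)."""
    for total in count():
        for la in range(total + 1):
            for a in product("01", repeat=la):
                for b in product("01", repeat=total - la):
                    yield "".join(a), "".join(b)


class AssociativeFunction:
    """sigma(a, b) = getProduct(getFactors(a) U getFactors(b)) over a growing K."""

    def __init__(self):
        self.K = {}        # string -> multiset of factors (a sorted tuple)
        self.K_inv = {}    # multiset -> string; K stays one-to-one, so this inverts it
        self.done = {}     # memo of sigma on every pair processed so far
        self.cursor = pairs_in_order()
        self.free = {}     # per minimum length: scan position for fresh strings

    def _add(self, s, factors):
        assert s not in self.K and factors not in self.K_inv
        self.K[s] = factors
        self.K_inv[factors] = s

    def get_factors(self, s):
        if s not in self.K:
            self._add(s, (s,))  # s is "prime": prFact(s) = {s}_M
        return self.K[s]

    def get_product(self, factors):
        if factors in self.K_inv:
            return self.K_inv[factors]
        need = 2 ** len(factors) - 2                  # ordered splits of the multiset
        n0 = next(n for n in count() if g(n) >= need)  # shortest admissible length
        # Every string before the saved scan position is already in K, so
        # resuming there still returns the shortlex-least free string.
        gen = self.free.setdefault(n0, strings_from(n0))
        for y in gen:
            if y not in self.K:
                self._add(y, factors)
                return y

    def sigma(self, a, b):
        """Phase one: process every earlier pair; phase two: the pair itself."""
        if (a, b) in self.done:
            return self.done[(a, b)]
        for pair in self.cursor:
            merged = tuple(sorted(self.get_factors(pair[0]) + self.get_factors(pair[1])))
            self.done[pair] = self.get_product(merged)
            if pair == (a, b):
                return self.done[pair]

    def prfact(self, s):
        """prFact(s): the multiset K assigns to s, or {s}_M if s is not in K."""
        return self.K.get(s, (s,))


def check_laws(f, strings):
    """Commutativity and associativity on all pairs and triples from `strings`."""
    for a in strings:
        for b in strings:
            if f.sigma(a, b) != f.sigma(b, a):
                return False
            for c in strings:
                if f.sigma(f.sigma(a, b), c) != f.sigma(a, f.sigma(b, c)):
                    return False
    return True


def max_ambiguity_ratio(max_total_len):
    """max over images y of pairs with |a|+|b| <= max_total_len of
    |sigma^-1(y)| / g(|y|); the construction guarantees this is <= 1."""
    f = AssociativeFunction()
    pre = {}
    for a, b in pairs_in_order():
        if len(a) + len(b) > max_total_len:
            break
        pre.setdefault(f.sigma(a, b), set()).add((a, b))
    return max(len(p) / g(len(y)) for y, p in pre.items())


if __name__ == "__main__":
    f = AssociativeFunction()
    for a, b in [("", ""), ("", "0"), ("0", "1"), ("00", "10")]:
        y = f.sigma(a, b)
        print(f"sigma({a!r}, {b!r}) = {y!r}, prFact = {f.prfact(y)}")
```

With $g(n) = 2^n$ the first pair $(\epsilon,\epsilon)$ has the multiset $\{\epsilon,\epsilon\}_M$, needs $g(|y|) \ge 2$ and so is mapped to $0$; the pair $(\epsilon, 0)$ then has the multiset $\{\epsilon,\epsilon,\epsilon\}_M$, needs $g(|y|) \ge 6$ and is mapped to $000$. Because the table is keyed by the multiset, both $(a,b)$ and $(b,a)$ and every other split of the same multiset land on the same output, which is exactly why Claims 1 and 2 give commutativity and associativity.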

4 Total, Associative, One-Way Functions

We now consider the relationship between strong, total, associative, one-way functions and two important complexity classes that frequently appear in the literature on one-way functions. We will prove that, if $P \neq UP$, then an $O(n)$-to-one AOWF exists, and that $P \neq FewP$ if and only if an $n^{O(1)}$-to-one AOWF exists. Both results follow from the lemma below.



Lemma 4.1 Let $g : \mathbb{N} \to \mathbb{N}$ be a function and $L$ be a language accepted by a nondeterministic Turing machine that runs in polynomial time and, on each input $s$, has at most $g(|s|)$ accepting paths. If there exists a nondecreasing function $f : \mathbb{N} \to \mathbb{N}$ such that for all $n \in \mathbb{N}$, $f(n) \ge \max(1, g(n))$, and if $L \notin P$, then there exists an $O(n(f(n))^2)$-to-one strong, total AOWF.

Proof. Let $g : \mathbb{N} \to \mathbb{N}$, $f : \mathbb{N} \to \mathbb{N}$, and $L$ be as assumed above. Let $M$ be a nondeterministic Turing machine that accepts $L$, runs in polynomial time, and on input $s$ has no more than $g(|s|)$ accepting paths. We will use $M$ to build an associative, one-way function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ that is strong, total, and $O(n(f(n))^2)$-to-one.

First, we introduce some notation. Let $a \in \Sigma^*$, and let $i \in \mathbb{N}$ be such that $i \ge 1$. Define $a_{(i)}$ and $a_{(i+)}$ as follows: if $i \le |a|$, then $a_{(i)}$ is the $i$th character (counting from the left) of $a$, and $a_{(i+)}$ is the substring of $a$ consisting of all characters in $a$ starting from the $i$th. If $i > |a|$, then $a_{(i)} = a_{(i+)} = \epsilon$.

We define the set of witnesses for $x \in L$ with respect to $M$ by

$$\mathrm{WIT}_M(x) = \{w \mid w \text{ is a witness for } ``x \in L"\}.$$

Since $M(x)$ has at most $g(|x|)$ accepting paths, $0 \le \|\mathrm{WIT}_M(x)\| \le g(|x|)$, and $\|\mathrm{WIT}_M(x)\| = 0$ if and only if $x \notin L$. We will assume, without loss of generality, that there exists a strictly increasing polynomial $p$ that depends only on $M$ such that for each $x \in L$, and for each $w \in \mathrm{WIT}_M(x)$, $|w| = p(|x|)$ and $p(|x|) > |x|$.

To make $\sigma$ easier to understand, we will construct it from several subroutines. The first plays the role of a "one-way gate." We define the subroutine $\gamma : \Sigma^* \to \Sigma^*$ as follows:

$$\gamma(d) = \begin{cases} 1x & \text{if } (\exists x \in L)(\exists w \in \mathrm{WIT}_M(x))[d = \langle x, w\rangle], \\ 0d & \text{otherwise.} \end{cases}$$

Clearly, $\gamma$ is total, and for all $t \in \mathrm{im}(\gamma)$, $\|\gamma^{-1}(t)\| \le f(|t| - 1)$. For $c \in \Sigma^*$, $\beta : \Sigma^* \to \Sigma^*$ is defined as follows:



$$\beta(c) = \begin{cases} 0\,\gamma(c_{(2+)}) & \text{if } c_{(1)} = 1, \\ 111 & \text{if } c = \epsilon, \\ 00\,c_{(4+)} & \text{if } c_{(1)} = 0. \end{cases}$$



Clearly, $\beta$ is total. Suppose that $e \in \mathrm{im}(\beta)$. Consider the maximum size of $\beta^{-1}(e)$. First, from the definition of $\beta$, $e_{(1)}e_{(2)} \in \{00, 01, 11\}$. Consider each case below:

Case 1:

If $e_{(1)}e_{(2)} = 11$, then $\beta^{-1}(e) = \{\epsilon\}$, therefore $\|\beta^{-1}(e)\| = 1$.

Case 2:

If $e_{(1)}e_{(2)} = 01$, then $e_{(3+)} \in L$ and $\beta^{-1}(e) = 1\gamma^{-1}(e_{(2+)}) = \{1\langle e_{(3+)}, w\rangle \mid w \in \mathrm{WIT}_M(e_{(3+)})\}$. It follows that $\|\beta^{-1}(e)\| \le f(|e| - 2)$.

Case 3:

If $e_{(1)}e_{(2)} = 00$, then $\beta^{-1}(e) \subseteq Z$, where $Z = \{0, 00, 01\} \cup \{0xy\,e_{(3+)} \mid x, y \in \{0,1\}\} \cup \{1\,e_{(3+)}\}$, therefore $\|\beta^{-1}(e)\| \le 8$.

We define the 2-ary function $\alpha : \Sigma^* \times \Sigma^* \to \Sigma^*$ as

$$\alpha(a, b) = 0\,(b_{(1)} \cdot a_{(2)})\,(a_{(1)} \cdot b_{(2)})\,a_{(3+)}\,b_{(3+)},$$

where $\cdot$ is scalar multiplication (of the characters read as the digits 0 and 1). Finally, we define the 2-ary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ as

$$\sigma(s, t) = \alpha(\beta(s), \beta(t)).$$

Clearly, $\sigma$ is total and honest. We claim that $\sigma$ is $O(n(f(n))^2)$-to-one, associative, one-way, and strong.

$\sigma$ is associative:

Let $s, t, u \in \Sigma^*$ and $s' = \beta(s)$, $t' = \beta(t)$, $u' = \beta(u)$. First, observe that

$$\begin{aligned}\beta(s \sigma t) &= \beta(\alpha(s', t')) \\ &= \beta(0\,(t'_{(1)} \cdot s'_{(2)})\,(s'_{(1)} \cdot t'_{(2)})\,s'_{(3+)}\,t'_{(3+)}) \\ &= 00\,s'_{(3+)}\,t'_{(3+)}.\end{aligned}$$

Now, using the above equation where necessary,

$$\begin{aligned}(s \sigma t) \sigma u &= \alpha(\beta(\alpha(\beta(s), \beta(t))), \beta(u)) \\ &= 0\,(u'_{(1)} \cdot 0)\,(0 \cdot u'_{(2)})\,s'_{(3+)}\,t'_{(3+)}\,u'_{(3+)} \\ &= 000\,s'_{(3+)}\,t'_{(3+)}\,u'_{(3+)} \\ &= 0\,(0 \cdot s'_{(2)})\,(s'_{(1)} \cdot 0)\,s'_{(3+)}\,t'_{(3+)}\,u'_{(3+)} \\ &= \alpha(s', 00\,t'_{(3+)}\,u'_{(3+)}) \\ &= s \sigma (t \sigma u).\end{aligned}$$

$\sigma$ is $O(n(f(n))^2)$-to-one:

Suppose that $y$ is in the image of $\sigma$. It follows that $|y| \ge 3$, and that there are exactly $|y| - 2$ pairs of string suffixes $(a_{(3+)}, b_{(3+)}) \in \Sigma^* \times \Sigma^*$ such that $y_{(4+)} = a_{(3+)}b_{(3+)}$. By the construction of $\alpha$, $y_{(1)} = 0$. The following table lists all of the possible preimage values $(s,t)$ of $y$, given $y_{(2)}$, $y_{(3)}$, $a = \beta(s)$, and $b = \beta(t)$. Here $Z_a$ and $Z_b$ denote the set $Z$ of Case 3 above for $e = a$ and $e = b$, respectively, $W_a = \{1\langle a_{(3+)}, w\rangle \mid w \in \mathrm{WIT}_M(a_{(3+)})\}$, and $W_b = \{1\langle b_{(3+)}, w\rangle \mid w \in \mathrm{WIT}_M(b_{(3+)})\}$.

  y_(2) | y_(3) | b_(1)·a_(2) | a_(1)·b_(2) | s     | t
  0     | 0     | 0·0         | 0·0         | Z_a   | Z_b
  0     | 0     | 0·0         | 0·1         | Z_a   | W_b
  0     | 0     | 0·1         | 0·0         | W_a   | Z_b
  0     | 0     | 0·1         | 0·1         | W_a   | W_b
  0     | 0     | 1·0         | 0·1         | Z_a   | ε
  0     | 0     | 0·1         | 1·0         | ε     | Z_b
  1     | 0     | 1·1         | 0·1         | W_a   | ε
  0     | 1     | 0·1         | 1·1         | ε     | W_b
  1     | 1     | 1·1         | 1·1         | ε     | ε

It is easy to see (by counting the number of distinct elements for a given $y_{(2)}y_{(3)}$) that for each $a_{(3+)}$ there are at most $f(|a| - 2) + 9$ elements $s$ such that $a = \beta(s)$, and likewise for $b_{(3+)}$. In sum, then, since $f$ is nondecreasing, there are no more than $(n-2)(f(n-2)+9)^2$ preimage elements $(s,t)$ such that $s \sigma t = y$, where $n = |y|$, so $\sigma$ must be $O(n(f(n))^2)$-to-one.

$\sigma$ is one-way:

Suppose that there is some polynomial-time computable function $g : \Sigma^* \to \Sigma^* \times \Sigma^*$ that inverts $\sigma$. We could then decide $L$ in polynomial time as follows:

Given any input string $s \in \Sigma^*$, to decide if $s \in L$, compute $g(0011s)$ and accept $s$ if and only if $g(0011s)$ is defined and is equal to $(\epsilon, 1\langle s, w\rangle)$ for some $w \in \mathrm{WIT}_M(s)$.

This works because $\sigma(\epsilon, 1\langle s, w\rangle) = \alpha(111, 01s) = 0011s$ for every $w \in \mathrm{WIT}_M(s)$, and, by the row $y_{(2)}y_{(3)} = 01$ of the table above, these are the only preimages of $0011s$; in particular $0011s \in \mathrm{im}(\sigma)$ if and only if $s \in L$. Therefore, we conclude that $\sigma$ must be one-way.

$\sigma$ is strong:

Suppose that there is some polynomial-time computable function $g_1 : \Sigma^* \to \Sigma^*$ such that for all strings $c \in \mathrm{im}(\sigma)$, and for all $a \in \Sigma^*$, if $a \sigma b = c$ for some $b \in \Sigma^*$, then $g_1(\langle a, c\rangle)$ is defined and $a \sigma g_1(\langle a, c\rangle) = c$. We could then decide $L$ in polynomial time as follows:

Given any input string $s \in \Sigma^*$, to decide if $s \in L$, compute $g_1(\langle \epsilon, 0011s\rangle)$ and accept $s$ if and only if $g_1(\langle \epsilon, 0011s\rangle)$ is defined and is equal to $1\langle s, w\rangle$ for some $w \in \mathrm{WIT}_M(s)$.

By an analogous argument, if we assume that there is some function $g_2 \in \mathrm{FP}$ such that for all strings $c \in \mathrm{im}(\sigma)$, and for all $b \in \Sigma^*$, if $a \sigma b = c$ for some $a \in \Sigma^*$, then $g_2(\langle b, c\rangle)$ is defined and $g_2(\langle b, c\rangle) \sigma b = c$, then we arrive at the same contradiction.

We conclude that $\sigma$ is a strong, total, $O(n(f(n))^2)$-to-one, associative, one-way function. □
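The construction of Lemma 4.1 in code, as an added example that is not part of the paper: $\gamma$, $\beta$, $\alpha$ and $\sigma$ are transcribed literally, while the NP machine $M$ is replaced by a constructed toy witness relation (non-empty strings of even parity, each with exactly two witnesses, so $g(n) = f(n) = 2$) and the bijective pairing $\langle\cdot,\cdot\rangle$ of Section 2 by a prefix-free injective encoding; both substitutions are mine. A brute-force search stands in for the hypothetical FP inverter $g$, so `decide_L` is the reduction from the one-wayness argument run literally: it decides membership in $L$ by inverting $\sigma$ on $0011s$, and the checks at the end confirm associativity and enumerate the preimages of $001111$.

```python
"""Added example, not from the paper: gamma, beta, alpha and sigma from the
proof of Lemma 4.1.  The language L, its witnesses and the pairing function
are constructed stand-ins (assumptions of this example) for the NP machine
M and the bijective pairing <.,.> the paper assumes."""
from itertools import product


# Constructed toy witness relation: x in L iff x is non-empty with an even
# number of 1s.  Its witnesses are x followed by one bit, so |w| = p(|x|) =
# |x| + 1 and ||WIT_M(x)|| <= g(|x|) = 2; take f(n) = 2 >= max(1, g(n)).
def witnesses(x):
    if x == "" or x.count("1") % 2:
        return []
    return [x + "0", x + "1"]


def f(n):
    return 2


# Pairing <x, w> = 1^|x| 0 x w: prefix-free and injective with a linear-time
# inverse (the paper assumes a bijection; this encoding is not onto).
def pair(x, w):
    return "1" * len(x) + "0" + x + w


def unpair(d):
    n = len(d) - len(d.lstrip("1"))
    if len(d) < 2 * n + 1 or d[n] != "0":
        return None
    return d[n + 1:2 * n + 1], d[2 * n + 1:]


def gamma(d):
    """The one-way gate: 1x if d = <x, w> with w a witness for x, else 0d."""
    dec = unpair(d)
    if dec is not None and dec[1] in witnesses(dec[0]):
        return "1" + dec[0]
    return "0" + d


def beta(c):
    """c_(1) selects the branch; c[3:] is c_(4+) (empty when |c| < 4)."""
    if c == "":
        return "111"
    if c[0] == "1":
        return "0" + gamma(c[1:])
    return "00" + c[3:]


def alpha(a, b):
    """alpha(a, b) = 0 (b_(1).a_(2)) (a_(1).b_(2)) a_(3+) b_(3+).
    beta's outputs always have length >= 2, so a[1] and b[1] exist."""
    bit = lambda u, v: str(int(u) * int(v))
    return "0" + bit(b[0], a[1]) + bit(a[0], b[1]) + a[2:] + b[2:]


def sigma(s, t):
    return alpha(beta(s), beta(t))


def strings_up_to(n):
    return ["".join(b) for k in range(n + 1) for b in product("01", repeat=k)]


def pairs_by_total_length(max_total):
    for total in range(max_total + 1):
        for la in range(total + 1):
            for a in product("01", repeat=la):
                for b in product("01", repeat=total - la):
                    yield "".join(a), "".join(b)


def check_associative(max_len):
    S = strings_up_to(max_len)
    return all(sigma(sigma(s, t), u) == sigma(s, sigma(t, u))
               for s in S for t in S for u in S)


def preimages(y, max_total):
    """All (s, t) with |s|+|t| <= max_total and sigma(s, t) == y."""
    return {(s, t) for s, t in pairs_by_total_length(max_total) if sigma(s, t) == y}


def ambiguity_bound(n):
    """The (n-2)(f(n-2)+9)^2 bound from the proof, for |y| = n."""
    return (n - 2) * (f(n - 2) + 9) ** 2


def brute_force_invert(y, max_total):
    """Stand-in for the hypothetical FP inverter g: first preimage, or None."""
    for s, t in pairs_by_total_length(max_total):
        if sigma(s, t) == y:
            return s, t
    return None


def decide_L(s):
    """The reduction from the one-wayness proof: 0011s has a preimage iff
    s in L, and that preimage is (epsilon, 1<s, w>) for a witness w, which
    under the pairing above has total length 3|s| + 3."""
    pre = brute_force_invert("0011" + s, 3 * len(s) + 3)
    if pre is None or pre[0] != "" or not pre[1].startswith("1"):
        return False
    dec = unpair(pre[1][1:])
    return dec is not None and dec[0] == s and dec[1] in witnesses(s)


if __name__ == "__main__":
    print(sigma("", "1" + pair("11", "110")))   # 0011 followed by s = 11
    print(sorted(preimages("001111", 9)))
    print([decide_L(s) for s in ("11", "101", "10", "")])
```

For $s = 11$ the two witnesses give exactly the two preimages $(\epsilon, 1\langle 11, 110\rangle)$ and $(\epsilon, 1\langle 11, 111\rangle)$ of $001111$, well inside the bound $(6-2)(f(4)+9)^2 = 484$; for $s = 10$ (odd parity) the string $001110$ has no preimage at all, so any inverter, brute force or polynomial time, decides $L$. Note that the preimages are longer than the image, which is why the honesty requirement of Definition 2.1 only asks for some polynomially short preimage.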

The following theorems and corollary follow immediately: 

Theorem 4.2 If $P \neq UP$, then there exists an $O(n)$-to-one, strong, total AOWF.

Proof. If $L \in UP - P$, then $L$ is accepted by a nondeterministic Turing machine that runs in polynomial time and has, at most, one accepting path. Taking $f(n) = g(n) = 1$, by Lemma 4.1 there exists an $O(n)$-to-one AOWF. □

From Grollmann and Selman's proof that 1-ary, unambiguous one-way functions exist if and only if $P \neq UP$ [GS88], the corollary below follows.

Corollary 4.3 If there exists a 1-ary, unambiguous, one-way function, then there exists an $O(n)$-to-one, strong, total AOWF.

Theorem 4.4 $P \neq FewP$ if and only if there exists an $n^{O(1)}$-to-one, strong, total AOWF.

Proof. For the "only if" direction, suppose that $L \notin P$ is a language accepted by a nondeterministic Turing machine that runs in polynomial time and, on input $s$, has at most $p(|s|)$ accepting paths (where $p$ is a polynomial). We can easily find another polynomial $q$ that is nondecreasing and greater than or equal to $\max(1, p)$. By Lemma 4.1, there exists an $O(n(q(n))^2)$-to-one strong, total AOWF.

For the "if" direction, if there exists an $n^{O(1)}$-to-one, strong, total AOWF $\sigma$, then there exists a 1-ary $n^{O(1)}$-to-one one-way function (just compose $\sigma$ with the inverse of a standard pairing function). Allender [All86, Theorem 6] proves that $FewP \neq P$ if there exists a (1-ary) $n^{O(1)}$-to-one one-way function, therefore $FewP \neq P$. □



We should point out that Rabi and Sherman [RS97] describe a multi-party secret-key agreement protocol, due to Rivest and Sherman, that uses strong, total, commutative AOWFs. Hemaspaandra and Rothe [HR99] prove that strong, total, commutative AOWFs exist exactly if $P \neq NP$. Assuming that $P \neq UP$, we conjecture that their construction could easily be modified to yield strong, total, commutative AOWFs that are constant-to-one for all but one element in the image. On the other hand, under the same conditions as in Lemma 4.1, and using similar techniques, we constructed a $2^{O(n)}$-to-one strong, total, commutative AOWF. Since this result is not much of a gain, and since the proof is rather technical, we omit it here.
5 Total, Associative Functions with Polynomially Bounded Outputs

The results of the previous section prove that, under certain common complexity-theoretic assumptions, there are low-ambiguity strong, total AOWFs. But how low can we go? From Theorem 3.2 we know that under no conditions do constant-to-one, total, associative functions exist in $\Sigma^* \times \Sigma^* \to \Sigma^*$. Here we show how to raise this lower bound when we restrict ourselves to the subclass of this class whose members $\sigma$ have the following property:

$$(\exists \text{ polynomial } p)(\forall s_1, s_2 \in \Sigma^*)\big[|s_1 \sigma s_2| \le p(\max\{|s_1|, |s_2|\})\big]. \quad (5)$$

Obviously, any lower bound on this subclass is also a lower bound on the subclass of all strong, total AOWFs (assuming they exist).

Our approach here is straightforward. We will assume, for the purpose of obtaining a contradiction, that a total, associative function in $\Sigma^* \times \Sigma^* \to \Sigma^*$ exists whose ambiguity is less than the proposed lower bound. We will then construct an image element of the function, using Corollary 5.2 and Lemma 5.3, whose preimage set is larger than our assumed lower bound allows. Corollary 5.2 follows from the lemma below.

Lemma 5.1 Suppose that $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ is a total, associative function. For every $k \in \mathbb{N}$ such that $k \ge 1$, there exists a $k' \le k+1$ and $s_1, \dots, s_{k'} \in \Sigma^*$ such that

1. $s_1 \sigma \cdots \sigma s_{k'}$ satisfies condition (a) or (b) from Lemma 3.1 for $k$,

2. $2 \le \max\{|s_1|, \dots, |s_{k'}|\} \le \lceil 2 \log(k+1) \rceil$.

Proof. Let $\sigma$ be a total, associative function in $\Sigma^* \times \Sigma^* \to \Sigma^*$. We will prove the above lemma by induction over $k$. First, assume that $k = 1$. Clearly, $\epsilon \sigma 00$ satisfies the conditions of the lemma.

Next, suppose that $k \ge 1$. By the induction hypothesis, there exist $s_1, \dots, s_{k'} \in \Sigma^*$ such that $s_1 \sigma \cdots \sigma s_{k'}$ satisfies one of conditions (a) or (b) from Lemma 3.1 for $k$, that $2 \le \max\{|s_1|, \dots, |s_{k'}|\} \le \lceil 2\log(k+1) \rceil$, and that $k' \le k+1$. Assume that, for $k+1$, no $s_1, \dots, s_{k'}$ exist with the above properties. Assume, by the induction hypothesis, and without loss of generality, that $s_1 \sigma \cdots \sigma s_{k'}$ satisfies condition (a) from Lemma 3.1 (the argument in the case that condition (b) is satisfied is analogous). By assumption and by the induction hypothesis, the cardinality of the set

$$S = \{x \in \Sigma^* \mid (x \neq t) \wedge (\exists y \in \Sigma^*)[(x,y) \in \sigma^{-1}(t)]\}$$

is equal to $k$, where $t = s_1 \sigma \cdots \sigma s_{k'}$. We choose the set $T \subseteq \Sigma^*$ subject to the following constraints:

• $(S \cup \{t\}) \cap T = \emptyset$,

• $\|T\| = k^2 + k + 1$,

• $(\forall s \in \Sigma^*, t'' \in T)[s \notin T \Rightarrow ((|t''| \le |s|) \vee (s \in S \cup \{t\}))]$

(the third constraint means that the elements of $T$ are the shortest possible strings that will produce the results desired below). Clearly, such a $T$ exists. It follows from the proof of Lemma 3.1 that for at least one $t' \in T$, the string $s_1 \sigma \cdots \sigma s_{k'} \sigma t'$ satisfies condition (a) or (b) of Lemma 3.1 for $k+1$. Also, if $t' \in T$, then $t'$ is one of the shortest $k + 1 + k^2 + k + 1 = (k+1)^2 + 1$ strings in $\Sigma^*$. Thus $|t'| \le \max\{|t''| \mid t'' \in T\} \le \lceil \log((k+1)^2 + 1) \rceil \le \lceil \log((k+2)^2) \rceil = \lceil 2\log(k+2) \rceil$. But since by the induction hypothesis $\max\{|s_1|, \dots, |s_{k'}|\} \le \lceil 2\log(k+1) \rceil$, $s_1 \sigma \cdots \sigma s_{k'} \sigma t'$ also satisfies condition 2 above for $k+1$ (with $k'+1 \le k+2$ factors), contradicting our assumption. □

The corollary below follows immediately. 

Corollary 5.2 Suppose that $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ is a total, associative function. For
every $k \in \mathbb{N}$ such that $k \ge 1$, there exist a $k' \le k + 1$ and $s_1, \ldots, s_{k'} \in \Sigma^*$ such that

1. $\|\sigma^{-1}(s_1 \sigma \cdots \sigma s_{k'})\| \ge k$,

2. $2 \le \max\{|s_1|, \ldots, |s_{k'}|\} \le \lceil 2 \log(k + 1) \rceil$.

Next, we provide an upper bound on the size of the output of any associative 
function whose outputs are polynomially bounded by its input sizes. 

Lemma 5.3 Let $\sigma$ be any total, 2-ary function in $\Sigma^* \times \Sigma^* \to \Sigma^*$. If $\sigma$ satisfies
formula (5) then

$$(\exists j \in \mathbb{N} : j > 1)(\forall k \in \mathbb{N} : k > 1)(\forall s_1, \ldots, s_k \in \Sigma^*)\big[\,|s_1 \sigma \cdots \sigma s_k| \le (\max\{2, |s_1|, \ldots, |s_k|\})^{j^{\lceil \log k \rceil}}\,\big]. \tag{6}$$

Proof. Suppose that $\sigma$ satisfies formula (5). We can write formula (5) equivalently
as

$$(\exists m, i \in \mathbb{N} : i > 0)(\forall s_1, s_2 \in \Sigma^*)\big[(\max\{|s_1|, |s_2|\} \ge m) \Rightarrow (|s_1 \sigma s_2| \le (\max\{|s_1|, |s_2|\})^i)\big].$$

We will use induction over $k$ to prove that
$j = \max\{\, i + 1,\; 1 + \lceil \log(\max\{|x \sigma y| : (|x| \le m) \wedge (|y| \le m)\}) \rceil \,\}$
satisfies the conditions of the lemma. Suppose that $k = 2$.
It follows immediately that, for all $s_1, s_2 \in \Sigma^*$, $|s_1 \sigma s_2| \le (\max\{2, |s_1|, |s_2|\})^j$.
Next, suppose that $k = 3$. By associativity,

$$\begin{aligned}
|s_1 \sigma s_2 \sigma s_3| &= |(s_1 \sigma s_2) \sigma s_3| \\
&\le (\max\{(\max\{2, |s_1|, |s_2|\})^j, |s_3|\})^j \\
&\le (\max\{(\max\{2, |s_1|, |s_2|, |s_3|\})^j, |s_3|\})^j \\
&= ((\max\{2, |s_1|, |s_2|, |s_3|\})^j)^j
\end{aligned}$$

for our choice of $j$. Now,

$$((\max\{2, |s_1|, |s_2|, |s_3|\})^j)^j = (\max\{2, |s_1|, |s_2|, |s_3|\})^{j^2} = (\max\{2, |s_1|, |s_2|, |s_3|\})^{j^{\lceil \log 3 \rceil}}.$$

Suppose that $k \ge 3$. Let $k'$ be a natural number satisfying $k \ge k' > 1$. By the
induction hypothesis,

$$(\forall s_1, \ldots, s_{k'} \in \Sigma^*)\big[\,|s_1 \sigma \cdots \sigma s_{k'}| \le (\max\{2, |s_1|, \ldots, |s_{k'}|\})^{j^{\lceil \log k' \rceil}}\,\big].$$

By associativity,

$$\begin{aligned}
|s_1 \sigma \cdots \sigma s_{k+1}| &= \big|(s_1 \sigma \cdots \sigma s_{\lfloor (k+1)/2 \rfloor}) \,\sigma\, (s_{\lfloor (k+1)/2 \rfloor + 1} \sigma \cdots \sigma s_{k+1})\big| \\
&\le \Big(\max\Big\{(\max\{2, |s_1|, \ldots, |s_{\lfloor (k+1)/2 \rfloor}|\})^{j^{\lceil \log \lfloor (k+1)/2 \rfloor \rceil}},\; (\max\{2, |s_{\lfloor (k+1)/2 \rfloor + 1}|, \ldots, |s_{k+1}|\})^{j^{\lceil \log \lceil (k+1)/2 \rceil \rceil}}\Big\}\Big)^j \\
&\le \big((\max\{2, |s_1|, \ldots, |s_{k+1}|\})^{j^{\lceil \log(k+1) \rceil - 1}}\big)^j \\
&= (\max\{2, |s_1|, \ldots, |s_{k+1}|\})^{j^{\lceil \log(k+1) \rceil}}
\end{aligned}$$

(to see why $\lceil \log \lceil (k+1)/2 \rceil \rceil \le \lceil \log(k+1) \rceil - 1$, consider that
$\lceil \log \lceil (k+1)/2 \rceil \rceil \le \log((k+1)/2) + 1 = \log(k+1) \le \lceil \log(k+1) \rceil$). □

Now, we combine the results of Lemma 5.3 and Corollary 5.2 to prove a lower
bound on the "many-to-one"-ness of functions that satisfy formula (5).

Theorem 5.4 For every total, associative function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ that satisfies
formula (5) there exists an $l \in \mathbb{N}$ where $l > 1$ such that $\sigma$ is not $o(g(n))$-to-one,
where $g : \mathbb{N} \to \mathbb{N}$ inverts $f : \{r \in \mathbb{R} \mid r > 1\} \to \mathbb{N}$, defined as $f(n) = \lceil 2 \log n \rceil^{l^{\lceil \log n \rceil}}$.

Proof. Suppose that $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ is a total, associative function that satisfies
formula (5). By Lemma 5.3, there exists $j \in \mathbb{N}$ where $j > 1$ such that for all $k \in \mathbb{N}$
where $k > 1$, and all $s_1, \ldots, s_k \in \Sigma^*$, $|s_1 \sigma \cdots \sigma s_k| \le (\max\{2, |s_1|, \ldots, |s_k|\})^{j^{\lceil \log k \rceil}}$.
We will prove, by contradiction, that $\sigma$ is not $o(g(n))$-to-one, where $g$ inverts
$f : \{r \in \mathbb{R} \mid r > 1\} \to \mathbb{N}$, defined as $f(n) = \lceil 2 \log n \rceil^{l^{\lceil \log n \rceil}}$.

Assume that, for all $l > 1$, $\sigma$ is $o(g(n))$-to-one. Let $l = \lceil j^2 \rceil$. By assumption,

$$(\forall \delta \in \mathbb{R})(\exists N \in \mathbb{N})(\forall m \ge N)\left[\frac{\max\{\|\sigma^{-1}(s)\| \mid |s| = m\}}{g(m)} < \delta\right]. \tag{7}$$

Suppose that $\delta = 1$. Choose $N \in \mathbb{N}$ such that $N$ satisfies equation (7). Let

$$n = 8 + \max\{\|\sigma^{-1}(s')\| \mid |s'| \le N\}. \tag{8}$$



By Corollary 5.2, for some $n' \le n$, there exist $s_1, \ldots, s_{n'} \in \Sigma^*$ such that

1. $\|\sigma^{-1}(s_1 \sigma \cdots \sigma s_{n'})\| \ge n - 1$,

2. $2 \le \max\{|s_1|, \ldots, |s_{n'}|\} \le \lceil 2 \log(n) \rceil$.

Let $m = |s_1 \sigma \cdots \sigma s_{n'}|$. By equation (8) and item 1 above, $m > N$. Since
$\|\sigma^{-1}(s_1 \sigma \cdots \sigma s_{n'})\| \ge n - 1$, we have $\max\{\|\sigma^{-1}(s)\| \mid |s| = m\} \ge n - 1$. By Lemma
5.3 (and because $\max\{|s_1|, \ldots, |s_{n'}|\} \ge 2$),

$$m \le (\max\{|s_1|, \ldots, |s_{n'}|\})^{j^{\lceil \log n' \rceil}} \le (\max\{|s_1|, \ldots, |s_{n'}|\})^{j^{\lceil \log n \rceil}}.$$

By item 2 above, $\max\{|s_1|, \ldots, |s_{n'}|\} \le \lceil 2 \log(n) \rceil$, therefore

$$m \le \lceil 2 \log(n) \rceil^{j^{\lceil \log n \rceil}}.$$

Now,

$$f(n-1) = \lceil 2 \log(n-1) \rceil^{l^{\lceil \log(n-1) \rceil}},$$

which, since $n \ge 8$ and $j > 1$,

$$\ge \lceil 2 \log n \rceil^{j^{\lceil \log n \rceil}} \ge m.$$

Since $f$ is nondecreasing,

$$\begin{aligned}
n - 1 &\ge g(m) \\
\max\{\|\sigma^{-1}(s)\| \mid |s| = m\} &\ge n - 1 \ge g(m) \\
\frac{\max\{\|\sigma^{-1}(s)\| \mid |s| = m\}}{g(m)} &\ge 1,
\end{aligned}$$

thus, for $l = \lceil j^2 \rceil$ and $\delta = 1$, and for all $N \in \mathbb{N}$, there exists $m \ge N$ such that
$\frac{\max\{\|\sigma^{-1}(s)\| \mid |s| = m\}}{g(m)} \ge 1$, which contradicts our assumption that $\sigma$ is $o(g(n))$-to-one.

□
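The quantities that Lemma 5.3 and Theorem 5.4 manipulate can be computed for concrete functions. The following Python script is an added example written for this page, not code from the paper or its authors: it takes two constructed total, associative functions over Σ = {0, 1} (concatenation, and "the longer argument, left on ties"), derives the exponent $j$ exactly as in the proof of Lemma 5.3, checks bound (6) exhaustively over short tuples, counts preimage sets (the numerator of (7)), and evaluates $f$ and its inverse $g$ with $l = \lceil j^2 \rceil$. Everything not in the paper is an assumption of the example: logarithms are base 2, $g(m)$ is taken to be the largest $n > 1$ with $f(n) \le m$ (and 1 when there is none) since the paper only says that $g$ inverts $f$, and the two functions, the helper names and the enumeration limits are constructed.

```python
"""Added example (not from the paper): the quantities of Lemma 5.3 and Theorem 5.4
evaluated on two constructed total, associative functions over Sigma = {0, 1}.
Assumptions: log is base 2; g(m) is the largest n > 1 with f(n) <= m (1 if none)."""
import itertools
import math

ALPHABET = "01"


def concat(x: str, y: str) -> str:
    """sigma(x, y) = xy. Total and associative; |xy| <= 2*max{|x|, |y|}, so (5)
    holds with p(n) = 2n, i.e. m = 2, i = 2 in the proof's equivalent form."""
    return x + y


def leftmost_longest(x: str, y: str) -> str:
    """sigma(x, y) = the longer argument, x on ties. Total and associative (both
    bracketings return the leftmost longest string); (5) holds with p(n) = n,
    i.e. m = 1, i = 1."""
    return y if len(y) > len(x) else x


def strings_up_to(max_len):
    """All strings over ALPHABET of length 0..max_len, shortest first."""
    for n in range(max_len + 1):
        for t in itertools.product(ALPHABET, repeat=n):
            yield "".join(t)


def is_associative(sigma, max_len):
    """Exhaustive associativity check over strings of length <= max_len."""
    pool = list(strings_up_to(max_len))
    return all(sigma(sigma(x, y), z) == sigma(x, sigma(y, z))
               for x in pool for y in pool for z in pool)


def fold(sigma, strs):
    """s_1 sigma s_2 sigma ... sigma s_k (bracketing is irrelevant by associativity)."""
    out = strs[0]
    for s in strs[1:]:
        out = sigma(out, s)
    return out


def choose_j(sigma, m, i):
    """The j of the proof of Lemma 5.3:
    j = max{ i + 1, 1 + ceil(log max{|x sigma y| : |x| <= m, |y| <= m}) }."""
    longest = max(len(sigma(x, y))
                  for x in strings_up_to(m) for y in strings_up_to(m))
    return max(i + 1, 1 + math.ceil(math.log2(longest)))


def bound_6(strs, j):
    """Right-hand side of (6): (max{2, |s_1|, ..., |s_k|})^(j^ceil(log k))."""
    base = max([2] + [len(s) for s in strs])
    return base ** (j ** math.ceil(math.log2(len(strs))))


def check_lemma_5_3(sigma, m, i, max_len=2, max_k=5):
    """Compute j, then test (6) for every k-tuple (2 <= k <= max_k) of strings of
    length <= max_len. Returns (j, all_tuples_ok)."""
    j = choose_j(sigma, m, i)
    pool = list(strings_up_to(max_len))
    for k in range(2, max_k + 1):
        for strs in itertools.product(pool, repeat=k):
            if len(fold(sigma, strs)) > bound_6(strs, j):
                return j, False
    return j, True


def preimage_count(sigma, s, max_arg_len):
    """||sigma^{-1}(s)|| counted over argument pairs of length <= max_arg_len.
    A lower bound in general; exact for the two functions above once
    max_arg_len >= |s|, since neither can shrink its longer argument."""
    return sum(1 for x in strings_up_to(max_arg_len)
               for y in strings_up_to(max_arg_len) if sigma(x, y) == s)


def ambiguity_at_length(sigma, m):
    """max{||sigma^{-1}(s)|| : |s| = m}, the numerator of (7)."""
    return max(preimage_count(sigma, "".join(t), m)
               for t in itertools.product(ALPHABET, repeat=m))


def f(n, l):
    """f(n) = ceil(2 log n)^(l^ceil(log n)) from Theorem 5.4, for n > 1."""
    return math.ceil(2 * math.log2(n)) ** (l ** math.ceil(math.log2(n)))


def g(m, l):
    """Inverse of f as assumed here: the largest n > 1 with f(n) <= m, else 1."""
    n = 1
    while f(n + 1, l) <= m:
        n += 1
    return n


if __name__ == "__main__":
    for name, sigma, m, i in (("concat", concat, 2, 2),
                              ("leftmost_longest", leftmost_longest, 1, 1)):
        j, ok = check_lemma_5_3(sigma, m, i)
        l = math.ceil(j * j)
        print(f"{name}: associative={is_associative(sigma, 2)}, j={j}, "
              f"(6) holds on sample={ok}, l={l}, f(2)={f(2, l)}")
        for length in (2, 3, 4):
            print(f"  |s|={length}: max preimage size {ambiguity_at_length(sigma, length)},"
                  f" g={g(length, l)}")
```

For concatenation the script derives $j = 3$ and hence $l = 9$, so $f(2) = 2^9 = 512$ and $g(m) = 1$ for every $m < 512$; $g$ does not reach 3 until $m \ge f(3) = 4^{81}$. Concatenation is only $(m+1)$-to-one, so the theorem's lower bound is respected by a very wide margin, which is a concrete instance of the gap the authors point out after the proof.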

There still remains a very large gap between the known ambiguity of the class
of strong, total AOWFs under various existence assumptions, and the lower bound
on this property. We believe that stronger results are possible.



6 Conclusion and Open Problems 

We proved that, if unambiguous one-way functions exist, then we can construct
strong, total AOWFs with low ambiguity, and that $n^{O(1)}$-to-one strong, total AOWFs
exist exactly if P $\ne$ FewP. Without appeal to "one-way"-ness, we proved that no
total, associative, recursive function in $\Sigma^* \times \Sigma^* \to \Sigma^*$ is $O(1)$-to-one, and that, for every
nondecreasing, unbounded, total, recursive function $g : \mathbb{N} \to \mathbb{N}$, there exists a $g(n)$-to-one
total, associative, commutative, recursive function in $\Sigma^* \times \Sigma^* \to \Sigma^*$. Finally,
we proved that, for every total, associative function $\sigma$ in $\Sigma^* \times \Sigma^* \to \Sigma^*$ whose output
strings are polynomially bounded by the lengths of their corresponding input strings,
there exists a natural number $l > 1$ such that the ambiguity of $\sigma$ is not $o(g(n))$-to-one,
where $g$ inverts $f : \{r \in \mathbb{R} \mid r > 1\} \to \mathbb{N}$, defined as $f(n) = \lceil 2 \log n \rceil^{l^{\lceil \log n \rceil}}$.

We mention two open problems. First, what is the tight lower bound on the
ambiguity of the class of strong, total AOWFs? Second, are there any conditions
under which strong, total, commutative AOWFs exist that have reasonable limits
on their ambiguity?